Posted to modperl@perl.apache.org by Dave Jenkins <da...@silk-newmedia.com> on 2000/08/17 18:32:57 UTC

@INC still tainted :-(

Hi,

Sorry if it's a breach of etiquette to re-post a query, and I'm doubly sorry if
it turns out to have been a particularly stupid question, but I've still not
found a solution or any clues. If I'm missing something obvious or just being
plain daft, feel free to mail me privately to avoid wasting more bandwidth!

Thanks,

Dave
--
Dave Jenkins
Silk New Media

----------  Forwarded Message  ----------
Subject: Tainted @INC
Date: Tue, 15 Aug 2000 15:02:26 +0100
From: Dave Jenkins <da...@silk-newmedia.com>


Hi,

I'd appreciate some help with a nasty little intermittent problem.

I'm running...
Apache/1.3.9 (Unix) mod_perl/1.21 mod_ssl/2.4.9 OpenSSL/0.9.4
on a SuSE 6.2 box (2.2.10 kernel)

Mostly everything is fine, but now and then the following error appears. When
it does, it occurs every few requests, so presumably infects one or two of the
running Apache processes. It's cured by a restart (until the next time it
happens!)
----------------------------------------------------
[error] Insecure dependency in require while running with -T switch at <blah>
----------------------------------------------------
The relevant line in <blah> is a 'use' statement, such as
use Time::Local 'timegm';

I tried to find whether the problem was due to something dodgy getting into
@INC, by running the test script inctest.cgi, attached (is_tainted function
lifted from Camel book). If I run this after getting the above error message,
it indicates that every element of @INC is tainted.

I've looked at the "@INC and mod_perl" page in the guide. In httpd.conf I have
PerlTaintCheck On and I'm not setting PERL5LIB. My startup.pl doesn't do
anything with 'use lib'.

Thanks in advance for any advice,

Dave
--
Dave Jenkins
Silk New Media

Re: @INC still tainted :-(

Posted by Stas Bekman <st...@stason.org>.
On Thu, 17 Aug 2000, Dave Jenkins wrote:

> I'd appreciate some help with a nasty little intermittent problem.
> 
> I'm running...
> Apache/1.3.9 (Unix) mod_perl/1.21 mod_ssl/2.4.9 OpenSSL/0.9.4
> on a SuSE 6.2 box (2.2.10 kernel)
> 
> Mostly everything is fine, but now and then the following error appears. When
> it does, it occurs every few requests, so presumably infects one or two of the
> running Apache processes. It's cured by a restart (until the next time it
> happens!)
> ----------------------------------------------------
> [error] Insecure dependency in require while running with -T switch at <blah>
> ----------------------------------------------------
> The relevant line in <blah> is a 'use' statement, such as
> use Time::Local 'timegm';

Hmm, did you read the perlsec manpage? 

It suggests the following cure:
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

Give it a try.

Also there is a Taint.pm module on CPAN but I don't see how it should help
here. Apparently some code in Time::Local is not taint-clean.

> I tried to find whether the problem was due to something dodgy getting into
> @INC, by running the test script inctest.cgi, attached (is_tainted function
> lifted from Camel book). If I run this after getting the above error message,
> it indicates that every element of @INC is tainted.
> 
> I've looked at the "@INC and mod_perl" page in the guide. In httpd.conf I have
> PerlTaintCheck On and I'm not setting PERL5LIB. My startup.pl doesn't do
> anything with 'use lib'.
> 
> Thanks in advance for any advice,
> 
> Dave
> --
> Dave Jenkins
> Silk New Media
> 



_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org
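
Added example, not part of the original thread and not the inctest.cgi attachment (which is not reproduced on this page): a per-process taint report for @INC and for the environment variables named in the perlsec cleanup quoted above. It uses Scalar::Util's tainted() in place of the Camel book's is_tainted and assumes a Perl that provides Scalar::Util and ${^TAINT} (5.8 or later); the function names inc_report, tainted_env and clean_env are made up for this example.

```perl
#!/usr/bin/perl
# Added example: run under taint mode (PerlTaintCheck On, or perl -T).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Environment cleanup from perlsec, as quoted in the reply above.
sub clean_env {
    $ENV{'PATH'} = '/bin:/usr/bin';
    delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
    return;
}

# One line per @INC entry: index, taint flag, value.
# Code references (hooks) in @INC are listed but carry no taint flag.
sub inc_report {
    my @rows;
    for my $i (0 .. $#INC) {
        my $entry = $INC[$i];
        my $flag  = ref($entry)      ? 'hook'
                  : tainted($entry)  ? 'TAINTED'
                  :                    'clean';
        push @rows, sprintf('@INC[%d] %-7s %s', $i, $flag, $entry);
    }
    return @rows;
}

# Names of the perlsec-listed environment variables that are still tainted.
sub tainted_env {
    return grep { exists $ENV{$_} && tainted($ENV{$_}) }
           qw(PATH IFS CDPATH ENV BASH_ENV);
}

# Print the PID so that reports from different Apache children can be
# told apart when only some of them show the error.
print "Content-type: text/plain\n\n";
printf "pid %d, taint mode %s\n", $$, ${^TAINT} ? 'on' : 'off';
print "$_\n" for inc_report();
print "tainted env before cleanup: @{[ tainted_env() ]}\n";
clean_env();
print "tainted env after cleanup:  @{[ tainted_env() ]}\n";
```

Requesting this repeatedly and comparing the output by PID shows whether the tainted entries are confined to particular child processes.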